• Home »
  • »
  • How To Set a Root CA to Untrusted on Mac OSX

How To Set a Root CA to Untrusted on Mac OSX

I decided to make a quick post on how to set a trusted root CA to untrusted in Mac OSX. As some people may or may not know, one of the root CA authorities was recently hacked and several rouge certificates were issued including one with a domain name of  .google.com. Now DigiNotar, which is the company in question, claims that the have revoked all the rouge certificates and all is well. However, me being involved in infosec and security I would rather not take any chances so I decided to set DigiNotar to a “trust never” level on my machine for the time being. Below I will outline the few simple steps to do this for any certificate authority on Mac OSX.

1. First thing we need to do is open up the applications folder and locate the Utilities directory.


2. Once inside the Utilities folder you need to locate the Keychain access icon


3. Once you select keychain access you will be presented with the following screen. The section we are interested in is System Roots so we need to select that.


4. You will then be presented with a list of all the root CA’s that the computer is configured to accept. Since we are only interested in changing the permissions for one specific signing entity we can run a search for it in the upper right hand corner. As you can see I have entered “DigiNotar” and only one entry poped up.


5. Next we need to right click on the certificate and select “Get Info”


6. The first drop down box in the list will have 3 choices. System defaults, Always Trust and Never Trust. Select never trust.


7. The system will now ask you for your password in order to make changes.


8. Once you have made the change I always like to go back and check to make sure it all worked. If you select get info again on the certificate, it should now look like this.


So thats about it. We have now successfully changed the trust level of a root CA on our machine and we should hopefully now not be accepting any certificates signed by DigiNotar since they were recently hacked. I hope this helps some one to learn how to secure your machine just a little bit better.